Process Termination Protection only valid for 64bit processes

-install CIS on Vista x64
-create D+ rules to protect an app from termination

IF the app is a 64bit process, access will be denied. IF the app is a 32bit process, no measure will be taken.

This is especially concerning if you have 3rd party antivirus which you want to protect. Because most 64bit AV software, although having 64bit drivers, still has 32bit executables. If you’re trying to enforce their shielding with CFP, you will fail.

Pardon for the bump, but this doesn’t seem to have attracted the attention of any staff willing to at least explain why this is so?

We’ll try to reproduce it, and if reproduced - fix it.

We cannot reproduce it in our environment. Could you give us more detailed information (which application do you close and which tool do you use for closing)?

Thanks.

Task Manager. To reproduce it, set Defense+ rules to protect an app which runs as 32-bit. Pick any process that has *32 after its name in Task Manager’s Processes list and create D+ rules for it against process termination. Task Manager will still be able to close it through the End Task button.

It’s not just my system. I noticed it on every 64bit environment.

Processes I could terminate: nod32 2.7’s 2 processes, firefox, yahoo messenger, ati2evxx.exe(ATI service) - all were 32bit
Processes I could not terminate: comodo’s 2 processes, explorer, ccc.exe(ATI) - all were 64bit

We tried to reproduce it with Firefox v3 and Yahoo Messenger - they were 32-bit. All was OK. We used the following way of protecting the application:

  1. Go to Computer Security Policy.
  2. Open the application’s policies (Application System Activity Control) → Protection Settings and set the Process Terminations radio button to Yes. After that we could not terminate the process via Task Manager. Have you done these steps for protection?

I apologize for the confusion. It was caused by contradictory behaviour I had been witnessing. Upon a thorough retest I was able to find the cause of my confusion and properly determine where the protection fails.

Comodo does indeed seem to protect both 32 and 64 bit processes correctly. All except for one category: Symantec products.

Symantec products are not protectable. I have LiveUpdate, Norton Ghost and Symantec AV Corp. installed. While the interface applications that are launched by clicking on the tray icons are indeed protected by Comodo, the services themselves are NOT. They are in the exact same folder and subject to the same asterisk rule. But for some reason they can be terminated.

Symantec applications possess something called Tamper Protection. It is a feature found in Norton or Symantec AV products that, when enabled, blocks ALL Symantec apps from being terminated, save for the UIs, possibly to prevent the need for a system restart in case a UI jams for whatever reason.

While this protection is completely absent on the 64-bit versions, with the Tamper Protection feature being completely unavailable on install, perhaps some part of the enforcement mechanism still exists and it prevents Comodo’s own from functioning?

I hope I’ve not caused you too great a deal of trouble, but maybe you could look into it…

More information about Tamper Protection absence here. It partially explains how the protection works, and so might be of help. https://forums.symantec.com/syment/board/message?board.id=endpoint_protection11&message.id=9589
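The retests above rely on two facts read off by hand: which processes are 32-bit (the *32 suffix in Task Manager) and which folder each one runs from (the folder wildcard rule). The script below is an added example, not code from this thread or from Comodo, that lists both for every running process so the scope of a Defense+ rule can be checked before testing it; it assumes a 64-bit Windows host and an elevated 64-bit PowerShell session, and uses the kernel32 IsWow64Process API.

```powershell
# Added example: report each running process's bitness and executable folder.
# Under WOW64, IsWow64Process reports TRUE for a 32-bit process on 64-bit Windows
# (the ones Task Manager shows with the *32 suffix) and FALSE for native 64-bit ones.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @"
[DllImport("kernel32.dll", SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool IsWow64Process(IntPtr hProcess, [MarshalAs(UnmanagedType.Bool)] out bool wow64);
"@

function Get-ProcessBitness {
    param([System.Diagnostics.Process]$Process)
    try {
        $isWow64 = $false
        # $Process.Handle opens the process; protected or higher-integrity
        # processes refuse this, which is reported as Unknown rather than guessed.
        if (-not [Win32.Native]::IsWow64Process($Process.Handle, [ref]$isWow64)) {
            return 'Unknown'
        }
        if ($isWow64) { '32-bit' } else { '64-bit' }
    } catch {
        'Unknown'
    }
}

# Build one row per process: name, PID, bitness and the folder the image runs from,
# so entries can be matched against a folder wildcard (asterisk) rule.
Get-Process | ForEach-Object {
    $path = try { $_.MainModule.FileName } catch { $null }
    [pscustomobject]@{
        Name    = $_.ProcessName
        PID     = $_.Id
        Bitness = Get-ProcessBitness -Process $_
        Folder  = if ($path) { Split-Path -Parent $path } else { 'n/a' }
    }
} | Sort-Object Bitness, Folder, Name | Format-Table -AutoSize
```

Rows marked Unknown are processes the session could not open at all, which is itself useful when checking that a protection rule is doing something.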