Secure Shopping module causes BSOD when running the game Take On Mars [M2225]

A. THE BUG/ISSUE (Varies from issue to issue)
Can you reproduce the problem & if so how reliably?:
Open the file with CIS installed and you will get the BSOD (dump attached)

If you can, exact steps to reproduce. If not, exactly what you did & what happened:
Open the file after you install Take on Mars PC game and the PC crashes (at least on my end).

One or two sentences explaining what actually happened:
Just BSOD when trying to run the game.

One or two sentences explaining what you expected to happen:
Game runs and no BSOD

If a software compatibility problem have you tried the advice to make programs work with CIS?:
I tried setting compatibility mode on game’s exe (Windows 7), tried running as admin, tried integrated video card,
tried dedicated video card. I do have the latest NVIDIA drivers.

Any software except CIS/OS involved? If so - name, & exact version:
No

Any other information, eg your guess at the cause, how you tried to fix it etc:
Analyzed the dumps from Microsoft and found the likely fault is in cmdcss.sys,
which I found out is related to the Secure Shopping environment.

The file was not run in sandbox nor in secure shopping and I didn’t block any execution.
(allowed everything in COMODO). The game’s exe is digitally signed.

B. YOUR SETUP

Exact CIS version & configuration:
Version 10.0.0.6092, config attached

Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:
Sandbox, AV, Viruscope, Secure Shopping, Firewall, Website Filtering

Have you made any other changes to the default config? (egs here.):
Attached config as well.

Have you updated (without uninstall) from CIS 5, 6 or 7?:
No.

Have you imported a config from a previous version of CIS:
No.

OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:
Windows 10 x64 build 14393 64 bit, UAC set to default, Admin account, no Virtual Machine (Real system).

Other security/s’box software a) currently installed b) installed since OS, including initial trial security software included with system:
a=Cybereason RansomFree b=No

Game’s web address:

  1. You’ll have to provide a complete memory dump for investigation. ^
  2. Is there any trial version, maybe?

No trial version.

I will try to provide a complete memory dump now.

Hmm… for some reason it generates only small dumps… even if I have it selected to full dumps.

I will check again.

https://s16.postimg.org/au464nqtx/Capture.png

Do note it’s located under %SystemRoot%\MEMORY.DMP as pointed out in your screenshot. Just to double-check.

Please check again with Comodo Internet Security v10.0.1.6209 thanks.

I’ve got the same issue with GTA V: the computer crashes with a BSOD saying that cmdcss.sys failed. From what I googled, it’s a Secure Shopping related file. I tried deleting it, but then my keyboard stops working, and not even fully uninstalling CIS fixes it. Help please.

Since no one bothers to reply or attend to this bug, I found a fix myself:
Go to HKEY_LOCAL_MACHINE/system/currentcontrolset/control/class and find the key {4D36E96B-E325-11CE-BFC1-08002BE10318}.
Check if there is an UpperFilters sub key inside it. If so, maybe it has “cmdcss.sys” in the value; simply edit it and change it to kbdclass, just as simple as that!
Just do it at your own risk. I suggest seeking another opinion or making a backup of the registry before doing it.

You can switch it to kernel memory dumps and try again.

The proper way for this bug to get fixed is to provide memory dumps when you get a BSoD. Changing the registry and trying to delete a kernel driver is not a good idea and can lead to further unexpected issues. You can try to turn off Secure Shopping by opening CIS settings and going to Advanced Protection > Secure Shopping. Or you can uninstall Secure Shopping, as it is a standalone component, if you don’t use it.

Please check again with version 10.0.1.6223 thanks.

Hi.

I have checked and unfortunately, the blue screen is still displaying.

Thank you for your effort and consideration though :smiley: maybe it can be fixed in future version or maybe there is another app that conflicts with Comodo.

https://s30.postimg.org/4xxty1jox/IMG_20170424_234411.jpg

With this new version I have also retested Secure Shopping (Secure Browser module) against a screen recording app (oCam 382.00) and the contents of the window are still shown (not shown in the full Secure Shopping environment).

Hopefully there will be a fix for this leak also in future versions.

Thank you again for the consideration :smiley:

Can you link the memory dump and is it bigger than a mini-dump? Such as a complete or kernel memory dump.

Hi.

I am very sorry but the system for some reason won’t take the complete memory dump, only minidump. :embarassed:
(even if I played with the settings and selected complete dump).

In the past I also tried to force complete memory dump but for some reason was unsuccessful.

Update: I have figured out why the system would not dump full memory.

Note to self (and tip to others): Always make sure page file is at least the same size as RAM :smiley:

I am currently archiving and splitting the dump in order to be able to share it with you. (It is an ~16 GB file)

You know, I was going to ask about that (page file set size) earlier, but I didn’t think that would be an issue because Windows would have said the page file is not big enough for the type of dump you set it as.

You probably don’t need a complete dump; setting it to kernel memory dump should be enough, as it’s an issue with a kernel mode driver. So if you can set it to kernel memory and send the resulting dump, it should be much smaller than 16 GB.
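
The two things this thread keeps coming back to, the crash-dump type versus page file size and the keyboard class UpperFilters value, can be checked without changing anything. The script below is an added example, not code from any poster or from Comodo; it assumes entries in UpperFilters are driver service names and that only the page file on the system drive is counted.

```powershell
# Read-only diagnostic: changes nothing, only reports.
$crash = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$names = @{ 0 = 'None'; 1 = 'Complete'; 2 = 'Kernel'; 3 = 'Small (minidump)'; 7 = 'Automatic' }
$type  = [int]$crash.CrashDumpEnabled
$ramMB = [math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
# Assumption: only the page file on the system drive is counted.
$pageMB = [int](Get-CimInstance Win32_PageFileUsage |
    Where-Object { $_.Name -like "$env:SystemDrive*" } |
    Measure-Object AllocatedBaseSize -Sum).Sum

[pscustomobject]@{
    DumpType       = if ($names.ContainsKey($type)) { $names[$type] } else { "Unknown ($type)" }
    DumpFile       = $crash.DumpFile
    RamMB          = $ramMB
    PageFileMB     = $pageMB
    # Rule from the thread: a complete dump needs a page file at least the size of RAM.
    CompleteDumpOK = ($pageMB -ge $ramMB)
} | Format-List

# Keyboard class key named in the thread.
$kbd = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}'
$filters = (Get-ItemProperty $kbd -Name UpperFilters -ErrorAction SilentlyContinue).UpperFilters
$report = foreach ($f in @($filters) | Where-Object { $_ }) {
    $svc = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$f" -ErrorAction SilentlyContinue
    # Without an ImagePath, fall back to the conventional drivers folder.
    $img = if ($svc.ImagePath) { $svc.ImagePath } else { "System32\drivers\$f.sys" }
    $img = $img -replace '^\\SystemRoot\\', '' -replace '^\\\?\?\\', ''
    $path = if ([IO.Path]::IsPathRooted($img)) { $img } else { Join-Path $env:SystemRoot $img }
    [pscustomobject]@{
        Filter       = $f
        ServiceKey   = [bool]$svc
        DriverOnDisk = Test-Path -LiteralPath $path
        # A listed filter whose driver is missing leaves the keyboard stack unable to start.
        Broken       = -not ($svc -and (Test-Path -LiteralPath $path))
    }
}
$report | Format-Table -AutoSize
```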

Right now it is almost done splitting the dump file.

I hope this would not mean too much work on your behalf…
But I usually keep paging fully disabled or to a fixed small amount
because I have an SSD and want to avoid too much wear, especially since I have got sufficient RAM.

I will post the full dump here once it’s ready.

And I hope tomorrow I have time again to capture a kernel memory dump only.

Dumps:

https://we.tl/g906ZSebXJ

https://we.tl/4iA5RDzlMe

https://we.tl/mXmUwSKxZT

https://we.tl/lCTFo33W2B

https://we.tl/C9ttjGCjdr

https://we.tl/Rjq1Cc1eAo

https://we.tl/AmGPsFnBPh

I hope this will be useful for the team.

Files will get deleted from the hosting website in about 4 hours from today.

I hope the team has managed to download them.