Separate component for buffer overflow protection

Comodo attempts to accommodate users who do not want to install the whole CIS suite by offering installation components: AVS, Firewall and Defense+. I propose to give users the option of installing the buffer overflow protection (memory firewall) without the other Defense+ features. The reason is that Defense+, both currently and historically, has the most compatibility issues with other third-party software.

Here is an example of security software that is broken by v5.0 of Defense+:

Users report success by permanently disabling Defense+, but they would be better protected if they could keep Comodo’s buffer overflow protection.

Another advantage of having buffer overflow protection as a separate component is that it helps in narrowing down bugs and compatibility problems.

Part of the problem is Comodo’s buggy implementation of buffer overflow protection. For some reason, some programs work if you add them to the buffer overflow exclusions, some require that buffer overflow protection be turned off, and some require that Defense+ be turned off. I can’t really condone usability designed around a bug. They should just fix the bug(s).

Bugs aside, I offer a design solution more consistent with the CIS UI in my Application System Activity Control Charrette thread (Stickied on the wishlist forum). It essentially adds Shellcode Injections as a type of Access Right.

My understanding is that compatibility problems between Comodo’s buffer overflow protection and particular programs are due to poor/unsafe programming practice by those programs, for example execution from data space. Programs released since Windows introduced DEP in XP have generally paid attention to this issue. I have been using CIS since it first came out, and I haven’t had to add even one program to the exception list for buffer overflow protection.

It is not possible for Comodo to provide buffer overflow protection for all programs and avoid compatibility problems with programs that execute from data space. This is why Comodo provides an exception list – not because of a Comodo bug.

In providing Defense+, Comodo is hooking Microsoft’s software without Microsoft’s cooperation. It is not possible to do this in a completely compatible way. Comodo puts in a good effort with compatibility for the most-often used third-party software, but their priority may be quite low for compatibility with competitive security software like Sandboxie. I applaud Comodo’s strategy of providing separate installation components for users who want to mix security software to get the balance of security and convenience that is right for them.

I agree that integrating buffer overflow protection exceptions into the Access Rights of Defense+ is advantageous for those who want both components installed. If Comodo provides an integrated suite experience AND a separate installation component for buffer overflow protection, then I would be satisfied. The component for buffer overflow protection would need a GUI for its exception list. Maintaining two separate GUIs for buffer overflow protection is more work for Comodo. If Comodo doesn’t want the extra work, then I would prioritize on a separate installation component for buffer overflow protection.

If Comodo can implement an exception list that consistently works, then what need is there for a separate component? As I understand it, your solution is a workaround, so that in cases where Defense+ would have to be completely disabled (i.e. in cases where the exclusion list was ineffective), the user could uninstall buffer overflow protection. Am I understanding you correctly?

I’m also not sure that a separate GUI is needed. For instance, I’m assuming you’re not also in support of a cross-application exclusion management window for, say, window messages. Am I assuming correctly?

As an example, take Sandboxie, which is low-level (has a driver) security software that hooks into the OS similar to Defense+. Sandboxie loads its driver at login. Let’s say that the HIPS aspect of Defense+ must be disabled on the latest version of CIS for Sandboxie to work. When I say disabled, I mean totally disabled (for all applications) to avoid the driver conflict, not just disabled when running the Sandboxie control GUI.

Would you offer buffer overflow protection as the only access right when the HIPS aspect of Defense+ is permanently disabled? I had assumed that this would be confusing, but maybe you will come up with something clever. Rules in Computer Security Policy would only need to exist for programs incompatible with buffer overflow protection.

:-TU same