Shell Code Injection - log entries but no alerts and prog does not start [264]

The bug/issue

  1. What you did: Tried to run the program
  2. What actually happened or you actually saw: Program does not start. In the journal there is a shell code injection record.
  3. What you expected to happen or see: A window will appear with a warning.
  4. How you tried to fix it & what happened: Removed the program from the list of trusted files - warnings started working.
  5. Details (exact version) of any software involved with download link: Program is closed from public use, sorry.
  6. Any other information you think may help us: Yesterday, the same behavior occurred with Diamond Tools; when I removed it from the list of trusted files, I got a warning box on startup. Today I cannot repeat the same; my impression is that DT is still on the list of trusted files, because when I tried to add it manually to this list, I got a warning that it's already there, but I do not see it in the list.

Files appended

  1. Screenshots illustrating the bug: none
  2. Screenshots of related event logs or the active processes list: none
  3. A CIS config report or file: none
  4. Crash or freeze dump file: none

Your set-up

  1. CIS version & configuration used: 5.0.162636.1135 (Proactive security)
  2. Whether you imported a configuration, if so from what version: Fresh install
  3. Defense+ and Sandbox OR Firewall security level: Standard
  4. OS version, service pack, no of bits, UAC setting, & account type: Windows 7, 32 bit, N/A, Admin account.
  5. Other security and utility software running: Comodo LivePCsupport, Sandboxie.
  6. CIS AV database version: 6158

UPD to item 6 of bug/issue: After changing the configuration to Internet Security, I received a one-time warning when running DT. Switching back to Proactive Security, I received a warning too, but only once - after a reboot, trying again to repeat the same thing did not work. Maybe this update will help.

If the Diamond Tools issue is the same issue, could you re-phrase this report in terms of Diamond Tools, and give a download link? (I'm not quite sure because you don't say what alert you received for DT). Screenshots of alerts and logs would help clarify matters if available.

The devs will need to replicate the problem, so we need a bit of software that demonstrates it!

Best wishes and many thanks in anticipation

Mouse

Hi Mouse. Yes, the problem has the same result - the absence of any warning - but the reasons causing it are different. In the first case, simply removing it from the list of trusted files helped; in the second case this was not enough. To start Diamond Tools Lite I must also switch between configurations, so I think there is a deeper problem - perhaps some sort of incorrect creation of the rules at the time of switching, but I'm not sure that this is the problem, because it does not help every time.

I understand that it is impossible to reproduce the problem without a program, but I do not want to send the devs the wrong solutions. The main and global reason for the problem is the list of trusted files - if the file is listed, it does not give warnings. To prepare a complete bug report, with 100% reproduction, I need to find some third file which also does not cause an alarm but is only logged, because the issue with DT contains more than one bug. Maybe you have seen some?

Best regards, Alex.

I think the lack of alerts for trusted files is probably what most users would want. So the problem applies when you don’t get an alert for an unknown/unrecognised file.

CIS has an internal invisible whitelist, as well as a cloud whitelist, and a trusted vendor list according to Egemen. If CIS says a file is already trusted, it likely is!

So am I right that this problem only occurs with the programs that are 'closed from public use'?

Does closed from public use mean ‘copyright protected’ (in which case there might be a trialware version) or does it mean the devs just cannot get hold of it under any circumstances…?

I think someone mentioned BO logs in this forum, so you could try searching… But then you need one that generates no alert.

I'm afraid I could not follow what you were saying about configurations? Configurations of what? Which choices? :)

Best wishes

Mouse

If your trusted program is a browser and the alert is from some malicious web site then I would have thought the user should want to know.

Fair point - beyond my knowledge now! Let's see if we can get an example file documented, then see what the devs say.

Yes, they will be happy not to receive any warning if the program starts :D. I thought I said that it does not run - I forgot, sorry. It is not difficult for me to watch the D+ log, understand the reason for it not running, and add the exceptions. I just think everything should work as it was conceived, but now the files in the trusted list are not passed without notice, but rather blocked :), and people are forced to add programs like DT etc. to the exceptions manually.

Devs just cannot get hold of it; I am bound by certain obligations, sorry again. But in fact the program is not important, we can take any with a non-working Shell Code alert.

Thanks, maybe something can be caught.

I mean switching between Internet Security and Proactive Security - back and forth several times.

Have a nice time, Alex.

The reproducible issue here is that this user does not seem to be getting a BO alert for trusted files. This is seen as a problem because the trusted file might be internet facing and subject to a BO attack from the internet.

He also seems to have an App for which BO is logged but not alerted, but that app is inaccessible to the devs. I have not been able to find another

Forwarding to verified on this basis.

@Imlookingdefence: if you are able to reproduce the second issue with another app please do append it to an additional post in this topic. (You cannot edit pre-existing posts after transfer).

Many thanks

Mouse