Turn off guard32 for certain programs

As a developer, having guard32.dll loaded into every single program is extremely annoying. Here’s why:

  1. guard32 adds a lot of memory usage (if not leaks).
  2. guard32 fails under “Basics > Memory” in Application Verifier. It’s very annoying having guard32 trigger a breakpoint every time my program exits.
  3. guard32’s hooking is extremely annoying when viewing stack traces.

Is there a way to stop guard32.dll from being loaded for certain programs? If not, please add an option to do so.

maybe this will help

https://forums.comodo.com/bug-reports/guard32dll-and-problems-with-javaexe-t23488.15.html

Is guard32.dll safe? How to remove a guard32 error? (what it is)

Regards,
Valentin

Thanks for the links, but they don’t help me turn off guard32.

Hi,
This problem was very severe on Comodo firewall.
I have also experienced that guard32.dll (or CIS, some part of it) was causing apps to break when exiting, leaving orphaned windows on the desktop.
After a lot of hit-and-miss trial, disabling the sandbox solved the problem of hitting a breakpoint when the application was about to exit in the dev environment while debugging.
However, you can minimise the impact by disabling the sandbox while keeping D+ enabled.
guard32 will still load. The breakpoint problem will be solved.

(Suggestion) If you are a dev, it will be nice to disable D+ permanently.

Regards
Adi

to wj32

If you still have the guard32.dll problem… (maybe you solved it in the meantime)

I was playing a bit and discovered that guard32.dll was creating some holes in my very customized config
(because it overrides some registry writes rules for driver installation with services.exe),
so I’ve disabled guard32.dll globally. I did that on CIS 3.14.

How : just renaming to ‘_guard32.dll’ (with a leading underscore) these two files :
windir\system32\guard32.dll
programfiles\Comodo\COMODO Internet Security\repair\guard32.dll
and reboot…

ProcessExplorer will show that guard32.dll is no more loaded in any app, and everything seems fine.
(CIS works normally as far as I can see and does not complain about missing guard32.dll)

However, if you want guard32.dll to be loaded by the System Process and other Core Processes
(because guard32.dll makes some Comodo alerts be more simple),
but NOT by programs starting after the boot has completed, here is what I would do:

  • create a program that renames guard32.dll to _guard32.dll on each boot (or ‘logon’)
  • create a program that renames _guard32.dll back to guard32.dll on each shutdown (or ‘logoff’)

these 2 programs can be set as ‘boot script’ and ‘shutdown script’, or ‘logon script’ and ‘logoff script’,
in the Windows Group Policy :
“C:\WINDOWS\system32\mmc.exe” “C:\WINDOWS\system32\gpedit.msc”
(these ‘scripts’ can be any executable, not only .vbs scripts)

Of course you must give these 2 programs the right to rename guard32.dll in CIS rules.

PS : same idea as here in fact…
https://forums.comodo.com/orphanedresolvedoutdated-issues-cis/cis4-d-preventing-techland-xpand-rally-game-running-probable-bug-t55088.0.html;msg390965#msg390965

This won’t help you to delete/disable guard32.dll but it will help you understand that this dll is a part of CIS and if you turn it off you will turn CIS off as well.

Regards,
Valentin

To Valentinchen,

“This won’t help you to delete/disable guard32.dll but it will help you understand that this dll is a part of CIS and if you turn it off you will turn CIS off as well”

Are you sure of what you say?

I did some tests with CLT (Comodo Leak Test) and botester (Comodo Buffer Overflow tester), under CIS 3.14 (I can’t speak for CIS v4 and v5), paranoid mode, WinXP SP3, without guard32.dll loaded (I renamed it to _guard32.dll and rebooted, and checked it was not in memory)

  • HIPS and Firewall seem to work (success in all CLT tests, and for internet connection attempts)
  • Buffer overflow protection does NOT seem to work (however you can install the discontinued Comodo Memory Firewall, at least over CIS 3.14, and succeed in the buffer overflow tests, also you could activate Windows DEP protection for all programs)
  • Some people report the Comodo Antivirus and automatic SandBoxing will NOT work without guard32.dll (I can not test since I don’t use or have them under CIS 3.14)
  • Alerts concerning driver installation are less comprehensive without guard32.dll (but an experienced user should recognize registry writes to registry root : hklm\system\controlset???\services[servicename] as part of a driver/service installation)

The two links you provide give no proof that CIS will not really protect you without guard32.dll (with the limitation given above).
If you have any link to some comment of a Comodo developer/expert saying that CIS (v3 or v4 or v5) will not effectively protect you without guard32.dll, I would nevertheless be interested :) (since this dll is still a problem for me and many people)

jukilo… when I provided you with those links I read through them fast and I understood that it’s related to CIS protection. I wanted to give you a hand and nothing else.

Regards,
Valentin

No problem Valentinchen :)
guard32.dll is a problem for me, so I’m still testing CIS 3.14 without it
(and searching the forum for possible bad effects of disabling it)

Regards.

I recommend you to download the latest CIS for the best security.

Regards,
Valentin

I doubt a user-mode component such as guard32.dll would be an essential part of D+, considering how easy it is to bypass it.

Isn’t this dll more related to the firewall?

Guard32.dll may be related to the firewall, but it is also related to the way Defense+ will alert you.
Especially concerning driver installs with Services.exe, through the Services control manager: \RPC Control\ntsvcs (with guard32.dll disabled you get multiple alerts for a single driver install, which is less user friendly).

a quick hexadecimal look inside guard32.dll file (this might be related) :

bad exception.......H.K.L.M.\.S.Y.S.T.E.M.\.C.o.n.t.r.o.l.S.e.t.?.?.?.\.S.e.r.v.i.c.e.s.\...OpenServiceA....advapi32.dll....OpenServiceW....CreateServiceA..CreateServiceW
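
The dump quoted above mixes two encodings: the registry path is UTF-16LE (the dots between its letters are NUL bytes), while the API and DLL names are plain ASCII. The following is an added example, not part of the original post and not Comodo code, that extracts both kinds of strings from a binary and keeps the ones pointing at service or driver installation; the sample bytes are constructed to imitate the quoted line, and the `service_related` filter and its keywords are assumptions made for illustration.

```python
import re
import sys

# Constructed sample imitating the quoted dump (NOT bytes from the real DLL):
# one UTF-16LE registry path surrounded by NUL-padded ASCII names.
SAMPLE = (
    b"bad exception\x00\x00\x00"
    + "HKLM\\SYSTEM\\ControlSet???\\Services\\".encode("utf-16-le")
    + b"\x00\x00OpenServiceA\x00\x00\x00\x00advapi32.dll\x00\x00\x00\x00"
    + b"OpenServiceW\x00\x00\x00\x00CreateServiceA\x00\x00CreateServiceW\x00"
)


def extract_strings(data, min_len=4):
    """Return sorted (offset, encoding, text) for printable ASCII and UTF-16LE runs."""
    # ASCII: min_len or more printable bytes in a row.
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # UTF-16LE: min_len or more (printable byte, NUL byte) pairs in a row.
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
              for m in wide_re.finditer(data)]
    return sorted(found)


def service_related(strings):
    """Keep strings that hint at service/driver installation (illustrative filter)."""
    needles = ("service", "controlset")  # assumed keywords, not from the page
    return [text for _, _, text in strings
            if any(n in text.lower() for n in needles)]


if __name__ == "__main__":
    # Pass a file path to scan a real binary; with no argument the sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, enc, text in extract_strings(data):
        print(f"{offset:#010x}  {enc:8}  {text}")
```
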

wj32,

Haven’t read all the links here…
Did you try adding the program to D+, Settings, Execution Control, Shell Code Exclusions?
Afaik you have to reboot in order to have it pass.