ProSecurity v1.40 BSOD

Discussion in 'other anti-malware software' started by starfish_001, Dec 21, 2007.

Thread Status:
Not open for further replies.
  1. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,041
    After installing and rebooting in learning mode .... I get a BSOD whilst still in learning mode .... from memory, STOP 0x0000007F, a couple of times.

    I have Outpost and KAV installed, latest builds .....

    Each time it happens Outpost wants to send a dump, so I guess they must be messing with each other's drivers?

    Oddly, executing Outlook Express seemed to cause a BSOD each time .... did not have much time to try other apps.

    The last time it happened it trashed the registry .... had to revert to a snapshot from earlier. Should have copied the dump for analysis but sadly did not ...

    Has anyone had this during the beta?
     
  2. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I'm trying to run PSv1.40 in combination with :

    1. Anti-Executable HIGH
    2. DefenseWall HIPS
    3. Sandboxie
    4. Frozen Snapshot (FirstDefense-ISR)

    It's a painful process, but no BSODs so far. :cautious:
     
  3. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,041
    Had another go ... got a dump file .... analysis is not my strongest, but this looks like a KAV problem in klif.sys


    So I guess I need to have another play without KAV
     
  4. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,041
    Um, seems OK for now .... will try to put KAV back
     
  5. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Many of my applications are blocked by PS. I can't open them anymore. I have to configure them one-by-one.
     
  6. poirot

    poirot Registered Member

    Joined:
    May 4, 2005
    Posts:
    299
    If you use programs like ProSecurity or SSM without giving them enough learning time with repeated reboots, or try to make them work just by configuring rules, you will always be prone to blocks or BSODs.

    I've just downloaded 1.40 and used it for a couple of days in learning mode, in spite of having transferred all settings and rules from my previous use of version 1.30.
    This way there's no problem at all between all my programs, which are ProSecurity 1.40, GeSWall 2.6 free, Comodo V3 (no HIPS), BOClean, Returnil.
     
  7. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    One important step when first running ProSecurity in Learning Mode is to restart Windows and not log in until the logon-screen screensaver kicks in. The "ScreenSaveTimeOut" is set to ten minutes by default but can be easily reduced using regedit. If ProSecurity does not learn this Winlogon behavior, you will not be able to log in to your desktop when the screensaver is active.

    You can also minimize a lot of annoying Library alerts by exercising as many context (right-click) menus as possible.

    Nick
     


  8. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,041
    Thanks guys but this is not a learning thing..... It crashes in learning mode.
    With KAV gone, all is well .... works fine with NOD.
     
  9. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    One big plus of all this in ProSecurity's favor, and ours, is that whatever the issue, or however long problems seem to persist, ProSecurity's developer still keeps plugging away at them.
    I was so let down before myself, because a BSOD from any app discourages me for fear it might do some real damage, so my instinct is to pull the app until issues are resolved.

    This is one HIPS I am anxiously waiting for to spring to maturity. LoL
     
  10. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,041
    Looking at the crash dump, I don't think this is PS's fault ..... either a Prevx or KAV problem.

    With the new build of NOD out, and as I have 2 years for NOD and a 6-month trial for KAV, I have swapped KAV out for now. NOD v3 had been causing me problems with image display on eBay.

    At the moment PS is an important part of my setup .... maybe SSM or OA .... or perhaps ThreatFire ..... can displace it, but not for now.
     
  11. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    Yeah, it takes longer for some developers to address cross-security-app compatibilities than others simply because, especially with popular commercial apps, they are constantly making adjustments to their code, and that's usually when new conflicts crop up. It's constantly keeping up with the changes of other programs that keeps developers so busy all the time, especially as regards HIPS, since they're designed to deeply embed against potential intruders.
     
    Last edited: Dec 22, 2007
  12. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,301
    Location:
    South Wales, UK
    Running the latest version of KIS (MP1 Build 321) and PS v1.40 with absolutely no ill effects at all. In fact, I have never had a BSOD when running PS.

    I think that nick s' point and all other points about learning mode are extremely important. I certainly left learning mode on for a number of days.:D
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,050
    Well, I took to heart the comment about learning mode. Tried to run some of the stuff that was tripping up the COM/DDE stuff in the new versions. Even in learning mode, the programs just don't run. Still too buggy for me to use.
     
  14. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,041

    Many of the posters seemed to ......fail to notice this detail.


    At the moment I prefer v1.30
     
  15. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    There's a known bug in the way 1.40's learning mode processes new OLE rules. OLE rules are added with the "Ask user" action rather than "Allow to be accessed". You have to manually change the action using the rule's context menu. Doing so solved any DDE/OLE/COM problems I experienced.

    Nick
     


  16. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,041
    Version 1.4 will not coexist with Outpost and KAV on my system .... without exception it always leads to a BSOD, even in learning mode.


    UNEXPECTED_KERNEL_MODE_TRAP_M (1000007f)
    This means a trap occurred in kernel mode, and it's a trap of a kind
    that the kernel isn't allowed to have/catch (bound trap) or that
    is always instant death (double fault). The first number in the
    bugcheck params is the number of the trap (8 = double fault, etc)
    Consult an Intel x86 family manual to learn more about what these
    traps are. Here is a *portion* of those codes:
    If kv shows a taskGate
    use .tss on the part before the colon, then kv.
    Else if kv shows a trapframe
    use .trap on that value
    Else
    .trap on the appropriate frame will show where the trap was taken
    (on x86, this will be the ebp that goes with the procedure KiTrap)
    Endif
    kb will then show the corrected stack.
    Arguments:
    Arg1: 00000008, EXCEPTION_DOUBLE_FAULT
    Arg2: 80042000
    Arg3: 00000000
    Arg4: 00000000

    Debugging Details:
    ------------------




    BUGCHECK_STR: 0x7f_8

    CUSTOMER_CRASH_COUNT: 2

    DEFAULT_BUCKET_ID: DRIVER_FAULT

    PROCESS_NAME: explorer.exe

    LAST_CONTROL_TRANSFER: from 80565088 to 80564ed8

    STACK_TEXT:
    f3228020 80565088 867c6b10 e32cf580 00000000 nt!SeOpenObjectAuditAlarm+0x8
    f3228068 80564166 e32cf580 f32281bc 00000001 nt!ObCheckObjectAccess+0xc2
    f3228118 805642ad 00000001 8516a988 e32cf580 nt!ObpIncrementHandleCount+0x1f7
    f3228180 8056bc49 00000001 e32cf580 867c6ad0 nt!ObpCreateHandle+0x17d
    f3228250 8056c2b6 e32cf580 00000000 00000000 nt!ObOpenObjectByPointer+0xa4
    f32282ac 8056c056 ffffffff 00000008 00000000 nt!NtOpenProcessTokenEx+0x94
    f32282c4 804de7ec ffffffff 00000008 f3228364 nt!NtOpenProcessToken+0x15
    f32282c4 804dd069 ffffffff 00000008 f3228364 nt!KiFastCallEntry+0xf8
    f3228348 f59fc001 ffffffff 00000008 f3228364 nt!ZwOpenProcessToken+0x11
    WARNING: Stack unwind information not available. Following frames may be wrong.
    f3228398 804e4152 80561640 84d79ef0 f32283bc klif+0xc001
    f32283ac 804e3d38 85536688 84c91000 00000000 nt!KeInsertQueue+0x25
    f32283b8 00000000 00000000 84c91008 84c91008 nt!IopfCompleteRequest+0xa2


    STACK_COMMAND: kb

    FOLLOWUP_IP:
    klif+c001
    f59fc001 ??              ???

    SYMBOL_STACK_INDEX: 9

    SYMBOL_NAME: klif+c001

    FOLLOWUP_NAME: MachineOwner

    MODULE_NAME: klif

    IMAGE_NAME: klif.sys

    DEBUG_FLR_IMAGE_TIMESTAMP: 476a38ed

    FAILURE_BUCKET_ID: 0x7f_8_klif+c001

    BUCKET_ID: 0x7f_8_klif+c001


    Gone back to version 1.30
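Added here as a worked example, not code from the thread, from ProSecurity, Kaspersky or WinDbg: a small parser for this kind of `!analyze -v` text that pulls out the bugcheck code and its four arguments, the STACK_TEXT frames (noting which ones follow WinDbg's "unwind information not available" warning), and the summary fields, then prints a triage line. The caveat it encodes is the one a practitioner wants with STOP 0x7F parameter 8: on x86 a double fault is most often kernel stack exhaustion, and the failure bucket names whichever module happened to be on top of the stack when it ran out, not necessarily the driver that consumed the stack. With three kernel-mode products stacked (Outpost, KAV, ProSecurity), klif.sys being blamed is a lead to follow, not a verdict. The SAMPLE_ANALYZE text is constructed from the fragment in the post above, trimmed to a few frames; the regexes assume the standard WinDbg line layout shown there.

```python
# Added example for this thread, not code from ProSecurity, Kaspersky or WinDbg.
# Parses a WinDbg `!analyze -v` text dump and prints a one-line triage verdict.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed from the dump fragment posted above, trimmed to a few frames.
SAMPLE_ANALYZE = """\
UNEXPECTED_KERNEL_MODE_TRAP_M (1000007f)
Arg1: 00000008, EXCEPTION_DOUBLE_FAULT
Arg2: 80042000
Arg3: 00000000
Arg4: 00000000
BUGCHECK_STR: 0x7f_8
PROCESS_NAME: explorer.exe
STACK_TEXT:
f3228020 80565088 867c6b10 e32cf580 00000000 nt!SeOpenObjectAuditAlarm+0x8
f3228348 f59fc001 ffffffff 00000008 f3228364 nt!ZwOpenProcessToken+0x11
WARNING: Stack unwind information not available. Following frames may be wrong.
f3228398 804e4152 80561640 84d79ef0 f32283bc klif+0xc001
f32283ac 804e3d38 85536688 84c91000 00000000 nt!KeInsertQueue+0x25
STACK_COMMAND: kb
MODULE_NAME: klif
IMAGE_NAME: klif.sys
FAILURE_BUCKET_ID: 0x7f_8_klif+c001
"""

HEADER_RE = re.compile(r"^(\w+)\s+\(([0-9a-fA-F]+)\)")
ARG_RE = re.compile(r"^Arg(\d):\s*([0-9a-fA-F]{8})(?:,\s*(\w+))?")
FRAME_RE = re.compile(r"^(?:[0-9a-f]{8}\s+){5}(\S+)")  # ChildEBP RetAddr 3 args symbol
FIELD_RE = re.compile(r"^([A-Z][A-Z_]+):\s+(\S.*)$")
UNWIND_WARNING = "Stack unwind information not available"
KERNEL_MODULES = {"nt", "hal"}  # on an x86 XP stack everything else is a driver
DOUBLE_FAULT = 8                # trap number carried in Arg1 of bugcheck 0x7F


@dataclass
class Frame:
    symbol: str             # "nt!ZwOpenProcessToken+0x11" or "klif+0xc001"
    unwind_uncertain: bool  # WinDbg had no unwind info; this frame may be wrong

    @property
    def module(self) -> str:
        return self.symbol.split("!", 1)[0].split("+", 1)[0]


@dataclass
class CrashTriage:
    bugcheck_name: str
    bugcheck_code: int      # base code, bit 28 (the "_M" marker) masked off
    args: List[int]
    arg1_meaning: Optional[str]
    fields: Dict[str, str]
    frames: List[Frame]

    @property
    def drivers_on_stack(self) -> List[str]:
        seen: List[str] = []
        for f in self.frames:
            if f.module not in KERNEL_MODULES and f.module not in seen:
                seen.append(f.module)
        return seen


def parse_analyze(text: str) -> CrashTriage:
    name, code, args, arg1_meaning = "", 0, [0, 0, 0, 0], None
    fields: Dict[str, str] = {}
    frames: List[Frame] = []
    in_stack = uncertain = False
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if not name and (m := HEADER_RE.match(line)):
            name, code = m.group(1), int(m.group(2), 16) & ~0x10000000
        elif (m := ARG_RE.match(line)):
            i = int(m.group(1)) - 1
            args[i] = int(m.group(2), 16)
            arg1_meaning = m.group(3) if i == 0 else arg1_meaning
        elif line == "STACK_TEXT:":
            in_stack = True
        elif in_stack and line.startswith("WARNING:") and UNWIND_WARNING in line:
            uncertain = True                    # applies to every frame below it
        elif in_stack and (m := FRAME_RE.match(line)):
            frames.append(Frame(m.group(1), uncertain))
        elif (m := FIELD_RE.match(line)):
            in_stack = False                    # first summary field ends STACK_TEXT
            fields[m.group(1)] = m.group(2)
    return CrashTriage(name, code, args, arg1_meaning, fields, frames)


def triage(t: CrashTriage) -> str:
    blamed = t.fields.get("MODULE_NAME", "?")
    drivers = ", ".join(t.drivers_on_stack) or "none"
    shaky = sum(f.unwind_uncertain for f in t.frames)
    if t.bugcheck_code == 0x7F and t.args[0] == DOUBLE_FAULT:
        # On x86 a double fault is most often kernel-stack exhaustion. The module
        # on top of the stack is where the stack ran out, not necessarily the one
        # that consumed it, so every driver on the stack shares suspicion.
        return (f"0x7F/8 double fault, likely kernel stack exhaustion, in "
                f"{t.fields.get('PROCESS_NAME', '?')}; bucket blames {blamed}; "
                f"drivers on stack: {drivers}; {shaky} frame(s) lack unwind info")
    return (f"{t.bugcheck_name} 0x{t.bugcheck_code:X}, bucket "
            f"{t.fields.get('FAILURE_BUCKET_ID', '?')}, blames {blamed}")


if __name__ == "__main__":
    print(triage(parse_analyze(SAMPLE_ANALYZE)))
```

To use it on a real crash, paste the full `!analyze -v` output in place of SAMPLE_ANALYZE; with a complete stack the drivers_on_stack list is what you compare against `lm` output and the set of kernel-mode security products installed, rather than stopping at the module the bucket happens to name.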
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,050
    Did you run the rule wizard?
     
  18. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,041

    Yes and then left in learning mode. 1.40 is a real problem with KAV for me yet with NOD seems ok.

    I prefer version 1.30 overall
     
  19. lu_chin

    lu_chin Registered Member

    Joined:
    Oct 27, 2005
    Posts:
    294
    I am using OP 2008 + KIS 7 and PS 1.4 without any crashes. I had set OP to auto-learn (because I recently upgraded to the latest build) and I had used the rule wizard to trust most of the existing applications on my PC after I installed it from scratch.

     
  20. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,041
    Interesting ....
     
  21. PSDeveloper

    PSDeveloper Registered Member

    Joined:
    Sep 1, 2006
    Posts:
    93
  22. smith2006

    smith2006 Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    759
  23. poirot

    poirot Registered Member

    Joined:
    May 4, 2005
    Posts:
    299
    Contrary to what I wrote on Dec. 21, I later did have a minor problem running both PS 1.40 and Comodo V3, as the latter's cmdagent.exe kept being blocked by OLE/DDE/COM at boot for a few annoying seconds.
    I reported all this at the ProSecurity forum in a thread named 'cmdagent blocked'.
    In spite of all my efforts (I really liked the new V3) I couldn't bring the combination to work all right, so I reinstalled both Comodo 2.4 (no behaviour analysis) and ProSecurity 1.40, and they, along with GeSWall and Returnil, finally work 100% OK, giving me some respite and joy.

    I find ProSecurity 1.40 great and better than its predecessor, which was also a fine piece of software.

    IMHO you cannot add something that works even remotely similar to PS, or, sooner or later, you pay a price.
    (It happened to me with Comodo V3 because this company downloads Defense+ and the basic firewall as a block, and you cannot choose NOT to do it, being limited to disabling Defense+ ... but some important files belong to the basic firewall as well, creating possible conflicts or malfunctions.)

    Especially if you don't reboot a couple of times prior to touching ANYTHING after install, including particularly registration, and you don't use all the provided means to make your system COMPLETELY known to PS, that is, either a previous 1.30 rule import + learning mode for a few days, or a wizard + learning mode for a few days using everything you run at least once, I have found the thing will not work properly.

    I did what I suggested above with 1.30 and I had no problems whatsoever for a year; now I erred a first time with version 1.40, but I have amended that now and I hope 1.40 is as stable as 1.30 ..... for a few days now it has been ..... to me it is the security program No. 1.
     
  24. PSDeveloper

    PSDeveloper Registered Member

    Joined:
    Sep 1, 2006
    Posts:
    93
    To smith2006:
    I'm sorry, v1.41 doesn't support XP SP3. It's a bit early to do this; it's only in the RC period. ;)
    But maybe the next version will support SP3.

    To poirot:
    Thank you very much!
    The OLE problem will be fixed in the v1.41.
     
  25. smith2006

    smith2006 Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    759
    Hi,

    Thanks for the response.

    In that case, I will have to wait. :'(
     